npm - cloudflare-access - Versions diffs - 1.0.0 - Mend

cloudflare-access 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (70) hide show

package/LICENSE +21 -0
package/README.md +452 -0
package/dist/adapters/effect/index.d.mts +167 -0
package/dist/adapters/effect/index.d.ts +167 -0
package/dist/adapters/effect/index.js +221 -0
package/dist/adapters/effect/index.js.map +1 -0
package/dist/adapters/effect/index.mjs +221 -0
package/dist/adapters/effect/index.mjs.map +1 -0
package/dist/adapters/express/index.d.mts +74 -0
package/dist/adapters/express/index.d.ts +74 -0
package/dist/adapters/express/index.js +129 -0
package/dist/adapters/express/index.js.map +1 -0
package/dist/adapters/express/index.mjs +129 -0
package/dist/adapters/express/index.mjs.map +1 -0
package/dist/adapters/fastify/index.d.mts +111 -0
package/dist/adapters/fastify/index.d.ts +111 -0
package/dist/adapters/fastify/index.js +140 -0
package/dist/adapters/fastify/index.js.map +1 -0
package/dist/adapters/fastify/index.mjs +140 -0
package/dist/adapters/fastify/index.mjs.map +1 -0
package/dist/adapters/hono/index.d.mts +19 -0
package/dist/adapters/hono/index.d.ts +19 -0
package/dist/adapters/hono/index.js +45 -0
package/dist/adapters/hono/index.js.map +1 -0
package/dist/adapters/hono/index.mjs +45 -0
package/dist/adapters/hono/index.mjs.map +1 -0
package/dist/adapters/nestjs/index.d.mts +123 -0
package/dist/adapters/nestjs/index.d.ts +123 -0
package/dist/adapters/nestjs/index.js +117 -0
package/dist/adapters/nestjs/index.js.map +1 -0
package/dist/adapters/nestjs/index.mjs +117 -0
package/dist/adapters/nestjs/index.mjs.map +1 -0
package/dist/chunk-DM2KGIQX.mjs +320 -0
package/dist/chunk-DM2KGIQX.mjs.map +1 -0
package/dist/chunk-LQWCGHLJ.mjs +108 -0
package/dist/chunk-LQWCGHLJ.mjs.map +1 -0
package/dist/chunk-PMFPT3SI.js +108 -0
package/dist/chunk-PMFPT3SI.js.map +1 -0
package/dist/chunk-WUJPWM4T.js +320 -0
package/dist/chunk-WUJPWM4T.js.map +1 -0
package/dist/config-D4O7DXNT.d.mts +12 -0
package/dist/config-ottUdc-K.d.ts +12 -0
package/dist/core/index.d.mts +24 -0
package/dist/core/index.d.ts +24 -0
package/dist/core/index.js +41 -0
package/dist/core/index.js.map +1 -0
package/dist/core/index.mjs +41 -0
package/dist/core/index.mjs.map +1 -0
package/dist/index.d.mts +6 -0
package/dist/index.d.ts +6 -0
package/dist/index.js +41 -0
package/dist/index.js.map +1 -0
package/dist/index.mjs +41 -0
package/dist/index.mjs.map +1 -0
package/dist/jwks-ChdyyS_L.d.mts +173 -0
package/dist/jwks-ChdyyS_L.d.ts +173 -0
package/dist/middleware-BDl6jUCu.d.mts +83 -0
package/dist/middleware-CgFsjM20.d.ts +83 -0
package/examples/basic.ts +52 -0
package/examples/cloudflare-workers.ts +84 -0
package/examples/custom-handlers.ts +85 -0
package/examples/effect/http-server.ts +205 -0
package/examples/email-allowlist.ts +50 -0
package/examples/express/basic.ts +26 -0
package/examples/fastify/basic.ts +24 -0
package/examples/hono/basic.ts +26 -0
package/examples/hono-router.ts +74 -0
package/examples/nestjs/basic.ts +39 -0
package/examples/skip-dev-mode.ts +89 -0
package/package.json +178 -0

package/dist/adapters/effect/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/adapters/effect/errors.ts","../../../src/adapters/effect/context.ts","../../../src/adapters/effect/middleware.ts","../../../src/adapters/effect/utils.ts"],"sourcesContent":["import { Schema } from \"effect\";\nimport { HttpApiSchema } from \"@effect/platform\";\n\n/**\n * Unauthorized error schema for Effect Platform\n */\nexport class Unauthorized extends Schema.TaggedError<Unauthorized>()(\n \"Unauthorized\",\n {\n message: Schema.String,\n code: Schema.String,\n },\n HttpApiSchema.annotations({ status: 401 }),\n) {}\n\n/**\n * Forbidden error schema for Effect Platform\n */\nexport class Forbidden extends Schema.TaggedError<Forbidden>()(\n \"Forbidden\",\n {\n message: Schema.String,\n email: Schema.String,\n },\n HttpApiSchema.annotations({ status: 403 }),\n) {}\n","import { Context } from \"effect\";\nimport type { CloudflareAccessUser } from \"../../core/index\";\n\n/**\n * Context Tag for the authenticated user.\n * Use this to access the current user in your handlers.\n *\n * @example\n * ```typescript\n * import { Effect } from \"effect\";\n * import { CurrentUser } from \"cloudflare-access/effect\";\n *\n * const handler = Effect.gen(function* () {\n * const user = yield* CurrentUser;\n * console.log(`Hello ${user.email}`);\n * return user;\n * });\n * ```\n */\nexport class CurrentUser extends Context.Tag(\"cloudflare-access/CurrentUser\")<\n CurrentUser,\n CloudflareAccessUser\n>() {}\n","import { Effect, Layer, Redacted, Schema } from \"effect\";\nimport { HttpApiMiddleware, HttpApiSecurity, HttpServerRequest } from \"@effect/platform\";\nimport { validateCloudflareAccessToken, CloudflareAccessErrorCode } from \"../../core/index\";\nimport type { CloudflareAccessMiddlewareOptions } from \"./types\";\nimport { Unauthorized, Forbidden } from \"./errors\";\nimport { CurrentUser } from \"./context\";\n\n/**\n * Cloudflare Access authentication middleware class.\n *\n * Use this class directly in your API middleware definitions.\n *\n * @example\n * ```typescript\n * import { HttpApi, HttpApiGroup, HttpApiEndpoint } from \"@effect/platform\";\n * import { Schema, Effect, Layer } from \"effect\";\n * import {\n * CloudflareAccessAuth,\n * CurrentUser,\n * makeCloudflareAccessLive,\n * Unauthorized,\n * Forbidden\n * } from \"cloudflare-access/effect\";\n *\n * // Configure the middleware\n * const CloudflareAccessLive = makeCloudflareAccessLive({\n * accessConfig: {\n * teamDomain: \"https://yourteam.cloudflareaccess.com\",\n * audTag: \"your-audience-tag\",\n * },\n * allowedEmails: [\"admin@example.com\"],\n * skipInDev: true,\n * environment: \"dev\",\n * });\n *\n * // Define API with protected endpoints\n * const User = Schema.Struct({ email: Schema.String });\n *\n * const api = HttpApi.make(\"api\").add(\n * HttpApiGroup.make(\"users\").add(\n * HttpApiEndpoint.get(\"profile\", \"/profile\")\n * .addSuccess(User)\n * .middleware(CloudflareAccessAuth)\n * )\n * );\n *\n * // Implement handlers with access to CurrentUser\n * const UsersLive = HttpApiBuilder.group(api, \"users\", (handlers) =>\n * Effect.gen(function* () {\n * const user = yield* CurrentUser;\n * return handlers.handle(\"profile\", () =>\n * Effect.succeed({ email: user.email })\n * );\n * })\n * ).pipe(Layer.provide(CloudflareAccessLive));\n * ```\n */\nexport class CloudflareAccessAuth extends HttpApiMiddleware.Tag<CloudflareAccessAuth>()(\n \"CloudflareAccessAuth\",\n {\n provides: CurrentUser,\n failure: Schema.Union(Unauthorized, Forbidden),\n security: {\n bearer: HttpApiSecurity.bearer,\n },\n },\n) {}\n\n/**\n * Create a Layer that implements Cloudflare Access authentication.\n *\n * This layer validates the Cloudflare Access JWT token from the request\n * and provides the authenticated user via the CurrentUser context.\n *\n * @param options Configuration for Cloudflare Access\n * @returns Layer that provides authentication\n */\nexport const makeCloudflareAccessLive = (options: CloudflareAccessMiddlewareOptions) => {\n return Layer.succeed(\n CloudflareAccessAuth,\n CloudflareAccessAuth.of({\n bearer: (bearerToken) =>\n Effect.gen(function* () {\n const request = yield* HttpServerRequest.HttpServerRequest;\n const token = Redacted.value(bearerToken);\n\n // Wrap the async validation in an Effect\n const result = yield* Effect.promise(() =>\n validateCloudflareAccessToken(\n token,\n {\n accessConfig: options.accessConfig,\n allowedEmails: options.allowedEmails,\n skipInDev: options.skipInDev,\n environment: options.environment,\n },\n request.url,\n ),\n );\n\n // Handle validation result\n if (!result.success) {\n const errorCode = result.error?.code ?? CloudflareAccessErrorCode.INVALID_TOKEN;\n const errorMessage = result.error?.message ?? \"Authentication failed\";\n\n if (errorCode === CloudflareAccessErrorCode.AUTH_REQUIRED) {\n return yield* Effect.fail(\n new Unauthorized({ message: errorMessage, code: \"AUTH_REQUIRED\" }),\n );\n }\n\n if (errorCode === CloudflareAccessErrorCode.ACCESS_DENIED) {\n return yield* Effect.fail(\n new Forbidden({\n message: errorMessage,\n email: result.user?.email ?? \"unknown\",\n }),\n );\n }\n\n return yield* Effect.fail(new Unauthorized({ message: errorMessage, code: errorCode }));\n }\n\n // Dev mode skip case (result.user can be null when skipped)\n if (!result.user) {\n return {\n email: \"dev@example.com\",\n userId: \"dev-user\",\n country: \"dev\",\n };\n }\n\n return result.user;\n }),\n }),\n );\n};\n","import { Effect, Option } from \"effect\";\nimport { HttpServerRequest } from \"@effect/platform\";\nimport {\n validateCloudflareAccessToken,\n CloudflareAccessError,\n CloudflareAccessErrorCode,\n AuthRequiredError,\n InvalidTokenError,\n AccessDeniedError,\n isCloudflareAccessError,\n type CloudflareAccessUser,\n} from \"../../core/index\";\nimport type { CloudflareAccessMiddlewareOptions } from \"./types\";\n\n/**\n * Extract Cloudflare Access token from request headers.\n * Looks for CF-Access-JWT-Assertion header.\n *\n * @param request HTTP server request\n * @returns Option with token if present\n */\nexport const extractToken = (\n request: HttpServerRequest.HttpServerRequest,\n): Option.Option<string> => {\n const token = request.headers[\"cf-access-jwt-assertion\"];\n return Option.fromNullable(token);\n};\n\n/**\n * Authenticate using the CF-Access-JWT-Assertion header directly.\n * This bypasses the HttpApiSecurity bearer token pattern.\n *\n * @param request HTTP server request\n * @param options Authentication options\n * @returns Effect with authenticated user or error\n */\nexport const authenticateRequest = (\n request: HttpServerRequest.HttpServerRequest,\n options: CloudflareAccessMiddlewareOptions,\n): Effect.Effect<CloudflareAccessUser, CloudflareAccessError, never> => {\n return Effect.gen(function* () {\n const token = extractToken(request);\n\n const result = yield* Effect.tryPromise({\n try: async () => {\n return await validateCloudflareAccessToken(\n Option.getOrUndefined(token),\n {\n accessConfig: options.accessConfig,\n allowedEmails: options.allowedEmails,\n skipInDev: options.skipInDev,\n environment: options.environment,\n },\n request.url,\n );\n },\n catch: (error) => {\n if (isCloudflareAccessError(error)) {\n return error;\n }\n return new CloudflareAccessError(\n CloudflareAccessErrorCode.INVALID_TOKEN,\n error instanceof Error ? error.message : \"Unknown error\",\n { context: { requestUrl: request.url } },\n );\n },\n });\n\n // Handle case where catch block returned a CloudflareAccessError directly\n if (result instanceof CloudflareAccessError) {\n return yield* Effect.fail(result);\n }\n\n if (!result.success) {\n const errorCode = result.error?.code ?? CloudflareAccessErrorCode.INVALID_TOKEN;\n const errorMessage = result.error?.message ?? \"Authentication failed\";\n\n switch (errorCode) {\n case CloudflareAccessErrorCode.AUTH_REQUIRED:\n return yield* Effect.fail(\n new AuthRequiredError({\n context: { requestUrl: request.url, ...result.error.context },\n }),\n );\n case CloudflareAccessErrorCode.ACCESS_DENIED:\n return yield* Effect.fail(\n new AccessDeniedError(result.user?.email ?? \"unknown\", {\n requestUrl: request.url,\n allowedEmails: options.allowedEmails,\n }),\n );\n case CloudflareAccessErrorCode.INVALID_TOKEN:\n return yield* Effect.fail(\n new InvalidTokenError(errorMessage, {\n requestUrl: request.url,\n }),\n );\n default:\n return yield* Effect.fail(\n new CloudflareAccessError(errorCode, errorMessage, {\n context: { requestUrl: request.url, ...result.error.context },\n }),\n );\n }\n }\n\n // Dev mode skip case\n if (!result.user) {\n return {\n email: \"dev@example.com\",\n userId: \"dev-user\",\n country: \"dev\",\n };\n }\n\n return result.user;\n });\n};\n\n/**\n * Get user as Option (returns None on auth failure)\n */\nexport const getUser = (\n request: HttpServerRequest.HttpServerRequest,\n options: CloudflareAccessMiddlewareOptions,\n): Effect.Effect<Option.Option<CloudflareAccessUser>, never, never> => {\n return authenticateRequest(request, options).pipe(\n Effect.map((user) => Option.some(user)),\n Effect.catchAll(() => Effect.succeed(Option.none<CloudflareAccessUser>())),\n );\n};\n\n/**\n * Authenticate and return Either (for explicit error handling)\n */\nexport const authenticateEither = (\n request: HttpServerRequest.HttpServerRequest,\n options: CloudflareAccessMiddlewareOptions,\n) => {\n return Effect.either(authenticateRequest(request, options));\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAAA,SAAS,cAAc;AACvB,SAAS,qBAAqB;AAKvB,IAAM,eAAN,cAA2B,OAAO,YAA0B;AAAA,EACjE;AAAA,EACA;AAAA,IACE,SAAS,OAAO;AAAA,IAChB,MAAM,OAAO;AAAA,EACf;AAAA,EACA,cAAc,YAAY,EAAE,QAAQ,IAAI,CAAC;AAC3C,EAAE;AAAC;AAKI,IAAM,YAAN,cAAwB,OAAO,YAAuB;AAAA,EAC3D;AAAA,EACA;AAAA,IACE,SAAS,OAAO;AAAA,IAChB,OAAO,OAAO;AAAA,EAChB;AAAA,EACA,cAAc,YAAY,EAAE,QAAQ,IAAI,CAAC;AAC3C,EAAE;AAAC;;;ACzBH,SAAS,eAAe;AAmBjB,IAAM,cAAN,cAA0B,QAAQ,IAAI,+BAA+B,EAG1E,EAAE;AAAC;;;ACtBL,SAAS,QAAQ,OAAO,UAAU,UAAAA,eAAc;AAChD,SAAS,mBAAmB,iBAAiB,yBAAyB;AAwD/D,IAAM,uBAAN,cAAmC,kBAAkB,IAA0B;AAAA,EACpF;AAAA,EACA;AAAA,IACE,UAAU;AAAA,IACV,SAASC,QAAO,MAAM,cAAc,SAAS;AAAA,IAC7C,UAAU;AAAA,MACR,QAAQ,gBAAgB;AAAA,IAC1B;AAAA,EACF;AACF,EAAE;AAAC;AAWI,IAAM,2BAA2B,CAAC,YAA+C;AACtF,SAAO,MAAM;AAAA,IACX;AAAA,IACA,qBAAqB,GAAG;AAAA,MACtB,QAAQ,CAAC,gBACP,OAAO,IAAI,aAAa;AACtB,cAAM,UAAU,OAAO,kBAAkB;AACzC,cAAM,QAAQ,SAAS,MAAM,WAAW;AAGxC,cAAM,SAAS,OAAO,OAAO;AAAA,UAAQ,MACnC;AAAA,YACE;AAAA,YACA;AAAA,cACE,cAAc,QAAQ;AAAA,cACtB,eAAe,QAAQ;AAAA,cACvB,WAAW,QAAQ;AAAA,cACnB,aAAa,QAAQ;AAAA,YACvB;AAAA,YACA,QAAQ;AAAA,UACV;AAAA,QACF;AAGA,YAAI,CAAC,OAAO,SAAS;AACnB,gBAAM,YAAY,OAAO,OAAO,QAAQ,0BAA0B;AAClE,gBAAM,eAAe,OAAO,OAAO,WAAW;AAE9C,cAAI,cAAc,0BAA0B,eAAe;AACzD,mBAAO,OAAO,OAAO;AAAA,cACnB,IAAI,aAAa,EAAE,SAAS,cAAc,MAAM,gBAAgB,CAAC;AAAA,YACnE;AAAA,UACF;AAEA,cAAI,cAAc,0BAA0B,eAAe;AACzD,mBAAO,OAAO,OAAO;AAAA,cACnB,IAAI,UAAU;AAAA,gBACZ,SAAS;AAAA,gBACT,OAAO,OAAO,MAAM,SAAS;AAAA,cAC/B,CAAC;AAAA,YACH;AAAA,UACF;AAEA,iBAAO,OAAO,OAAO,KAAK,IAAI,aAAa,EAAE,SAAS,cAAc,MAAM,UAAU,CAAC,CAAC;AAAA,QACxF;AAGA,YAAI,CAAC,OAAO,MAAM;AAChB,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,QAAQ;AAAA,YACR,SAAS;AAAA,UACX;AAAA,QACF;AAEA,eAAO,OAAO;AAAA,MAChB,CAAC;AAAA,IACL,CAAC;AAAA,EACH;AACF;;;ACxIA,SAAS,UAAAC,SAAQ,cAAc;AAqBxB,IAAM,eAAe,CAC1B,YAC0B;AAC1B,QAAM,QAAQ,QAAQ,QAAQ,yBAAyB;AACvD,SAAO,OAAO,aAAa,KAAK;AAClC;AAUO,IAAM,sBAAsB,CACjC,SACA,YACsE;AACtE,SAAOC,QAAO,IAAI,aAAa;AAC7B,UAAM,QAAQ,aAAa,OAAO;AAElC,UAAM,SAAS,OAAOA,QAAO,WAAW;AAAA,MACtC,KAAK,YAAY;AACf,eAAO,MAAM;AAAA,UACX,OAAO,eAAe,KAAK;AAAA,UAC3B;AAAA,YACE,cAAc,QAAQ;AAAA,YACtB,eAAe,QAAQ;AAAA,YACvB,WAAW,QAAQ;AAAA,YACnB,aAAa,QAAQ;AAAA,UACvB;AAAA,UACA,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,MACA,OAAO,CAAC,UAAU;AAChB,YAAI,wBAAwB,KAAK,GAAG;AAClC,iBAAO;AAAA,QACT;AACA,eAAO,IAAI;AAAA,UACT,0BAA0B;AAAA,UAC1B,iBAAiB,QAAQ,MAAM,UAAU;AAAA,UACzC,EAAE,SAAS,EAAE,YAAY,QAAQ,IAAI,EAAE;AAAA,QACzC;AAAA,MACF;AAAA,IACF,CAAC;AAGD,QAAI,kBAAkB,uBAAuB;AAC3C,aAAO,OAAOA,QAAO,KAAK,MAAM;AAAA,IAClC;AAEA,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,YAAY,OAAO,OAAO,QAAQ,0BAA0B;AAClE,YAAM,eAAe,OAAO,OAAO,WAAW;AAE9C,cAAQ,WAAW;AAAA,QACjB,KAAK,0BAA0B;AAC7B,iBAAO,OAAOA,QAAO;AAAA,YACnB,IAAI,kBAAkB;AAAA,cACpB,SAAS,EAAE,YAAY,QAAQ,KAAK,GAAG,OAAO,MAAM,QAAQ;AAAA,YAC9D,CAAC;AAAA,UACH;AAAA,QACF,KAAK,0BAA0B;AAC7B,iBAAO,OAAOA,QAAO;AAAA,YACnB,IAAI,kBAAkB,OAAO,MAAM,SAAS,WAAW;AAAA,cACrD,YAAY,QAAQ;AAAA,cACpB,eAAe,QAAQ;AAAA,YACzB,CAAC;AAAA,UACH;AAAA,QACF,KAAK,0BAA0B;AAC7B,iBAAO,OAAOA,QAAO;AAAA,YACnB,IAAI,kBAAkB,cAAc;AAAA,cAClC,YAAY,QAAQ;AAAA,YACtB,CAAC;AAAA,UACH;AAAA,QACF;AACE,iBAAO,OAAOA,QAAO;AAAA,YACnB,IAAI,sBAAsB,WAAW,cAAc;AAAA,cACjD,SAAS,EAAE,YAAY,QAAQ,KAAK,GAAG,OAAO,MAAM,QAAQ;AAAA,YAC9D,CAAC;AAAA,UACH;AAAA,MACJ;AAAA,IACF;AAGA,QAAI,CAAC,OAAO,MAAM;AAChB,aAAO;AAAA,QACL,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO,OAAO;AAAA,EAChB,CAAC;AACH;AAKO,IAAM,UAAU,CACrB,SACA,YACqE;AACrE,SAAO,oBAAoB,SAAS,OAAO,EAAE;AAAA,IAC3CA,QAAO,IAAI,CAAC,SAAS,OAAO,KAAK,IAAI,CAAC;AAAA,IACtCA,QAAO,SAAS,MAAMA,QAAO,QAAQ,OAAO,KAA2B,CAAC,CAAC;AAAA,EAC3E;AACF;AAKO,IAAM,qBAAqB,CAChC,SACA,YACG;AACH,SAAOA,QAAO,OAAO,oBAAoB,SAAS,OAAO,CAAC;AAC5D;","names":["Schema","Schema","Effect","Effect"]}

package/dist/adapters/express/index.d.mts ADDED Viewed

@@ -0,0 +1,74 @@
+import { g as CloudflareAccessUser, C as CloudflareAccessConfig } from '../../jwks-ChdyyS_L.mjs';
+export { A as AccessDeniedError, a as AuthRequiredError, c as CloudflareAccessError, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.mjs';
+import { Request, Response, NextFunction } from 'express';
+import 'jose';
+declare global {
+    namespace Express {
+        interface Request {
+            /** Authenticated user from Cloudflare Access */
+            user?: CloudflareAccessUser;
+        }
+    }
+}
+/**
+ * Options for creating Cloudflare Access authentication middleware for Express
+ */
+interface CloudflareAccessAuthOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist. Access policy should still be configured at Cloudflare. */
+    allowedEmails?: string[];
+    /** Custom unauthorized handler */
+    onUnauthorized?: (req: Request, res: Response, reason: string) => void | Promise<void>;
+    /** Custom forbidden handler */
+    onForbidden?: (req: Request, res: Response, email: string) => void | Promise<void>;
+    /** Paths to exclude from auth check */
+    excludePaths?: string[];
+    /** Whether to skip JWT validation outside production */
+    skipInDev?: boolean;
+    /** Environment indicator */
+    environment?: string;
+}
+/**
+ * Generate unauthorized response
+ */
+declare function unauthorizedResponse(res: Response, reason: string): void;
+/**
+ * Generate auth required response
+ */
+declare function authRequiredResponse(res: Response): void;
+/**
+ * Generate forbidden response
+ */
+declare function forbiddenResponse(res: Response): void;
+/**
+ * Creates secure Cloudflare Access authentication middleware for Express.
+ *
+ * @param options - Configuration options
+ * @returns Express middleware handler
+ *
+ * @example
+ * ```typescript
+ * import express from 'express';
+ * import { cloudflareAccessAuth } from 'cloudflare-access/adapters/express';
+ *
+ * const app = express();
+ *
+ * app.use(cloudflareAccessAuth({
+ *   accessConfig: {
+ *     teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *     audTag: 'your-audience-tag',
+ *   },
+ * }));
+ *
+ * app.get('/protected', (req, res) => {
+ *   res.json({ email: req.user?.email });
+ * });
+ * ```
+ */
+declare function cloudflareAccessAuth(options: CloudflareAccessAuthOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+export { type CloudflareAccessAuthOptions, CloudflareAccessConfig, CloudflareAccessUser, authRequiredResponse, cloudflareAccessAuth, cloudflareAccessAuth as default, forbiddenResponse, unauthorizedResponse };

package/dist/adapters/express/index.d.ts ADDED Viewed

@@ -0,0 +1,74 @@
+import { g as CloudflareAccessUser, C as CloudflareAccessConfig } from '../../jwks-ChdyyS_L.js';
+export { A as AccessDeniedError, a as AuthRequiredError, c as CloudflareAccessError, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.js';
+import { Request, Response, NextFunction } from 'express';
+import 'jose';
+declare global {
+    namespace Express {
+        interface Request {
+            /** Authenticated user from Cloudflare Access */
+            user?: CloudflareAccessUser;
+        }
+    }
+}
+/**
+ * Options for creating Cloudflare Access authentication middleware for Express
+ */
+interface CloudflareAccessAuthOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist. Access policy should still be configured at Cloudflare. */
+    allowedEmails?: string[];
+    /** Custom unauthorized handler */
+    onUnauthorized?: (req: Request, res: Response, reason: string) => void | Promise<void>;
+    /** Custom forbidden handler */
+    onForbidden?: (req: Request, res: Response, email: string) => void | Promise<void>;
+    /** Paths to exclude from auth check */
+    excludePaths?: string[];
+    /** Whether to skip JWT validation outside production */
+    skipInDev?: boolean;
+    /** Environment indicator */
+    environment?: string;
+}
+/**
+ * Generate unauthorized response
+ */
+declare function unauthorizedResponse(res: Response, reason: string): void;
+/**
+ * Generate auth required response
+ */
+declare function authRequiredResponse(res: Response): void;
+/**
+ * Generate forbidden response
+ */
+declare function forbiddenResponse(res: Response): void;
+/**
+ * Creates secure Cloudflare Access authentication middleware for Express.
+ *
+ * @param options - Configuration options
+ * @returns Express middleware handler
+ *
+ * @example
+ * ```typescript
+ * import express from 'express';
+ * import { cloudflareAccessAuth } from 'cloudflare-access/adapters/express';
+ *
+ * const app = express();
+ *
+ * app.use(cloudflareAccessAuth({
+ *   accessConfig: {
+ *     teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *     audTag: 'your-audience-tag',
+ *   },
+ * }));
+ *
+ * app.get('/protected', (req, res) => {
+ *   res.json({ email: req.user?.email });
+ * });
+ * ```
+ */
+declare function cloudflareAccessAuth(options: CloudflareAccessAuthOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+export { type CloudflareAccessAuthOptions, CloudflareAccessConfig, CloudflareAccessUser, authRequiredResponse, cloudflareAccessAuth, cloudflareAccessAuth as default, forbiddenResponse, unauthorizedResponse };

package/dist/adapters/express/index.js ADDED Viewed

@@ -0,0 +1,129 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
+var _chunkWUJPWM4Tjs = require('../../chunk-WUJPWM4T.js');
+// src/adapters/express/responses.ts
+function unauthorizedResponse(res, reason) {
+  res.status(401).json({
+    success: false,
+    error: {
+      code: "INVALID_TOKEN",
+      message: "Invalid authentication token",
+      why: reason,
+      fix: "Please sign in again via Cloudflare Access"
+    }
+  });
+}
+function authRequiredResponse(res) {
+  res.status(401).json({
+    success: false,
+    error: {
+      code: "AUTH_REQUIRED",
+      message: "Unauthorized",
+      why: "Authentication required via Cloudflare Access",
+      fix: "Sign in via Cloudflare Access"
+    }
+  });
+}
+function forbiddenResponse(res) {
+  res.status(403).json({
+    success: false,
+    error: {
+      code: "ACCESS_DENIED",
+      message: "Forbidden",
+      why: "Your email is not authorized to access this resource",
+      fix: "Contact an administrator if you need access"
+    }
+  });
+}
+// src/adapters/express/middleware.ts
+function cloudflareAccessAuth(options) {
+  const allowedEmails = _nullishCoalesce(options.allowedEmails, () => ( null));
+  return async (req, res, next) => {
+    const path = req.path;
+    const method = req.method;
+    if (_optionalChain([options, 'access', _ => _.excludePaths, 'optionalAccess', _2 => _2.includes, 'call', _3 => _3(path)]) || method === "OPTIONS") {
+      next();
+      return;
+    }
+    const token = req.headers["cf-access-jwt-assertion"];
+    const protocol = req.headers["x-forwarded-proto"] || req.protocol;
+    const host = req.headers.host;
+    const url = `${protocol}://${host}${req.originalUrl}`;
+    const result = await _chunkWUJPWM4Tjs.validateCloudflareAccessToken.call(void 0,
+      token,
+      {
+        accessConfig: options.accessConfig,
+        allowedEmails: _nullishCoalesce(allowedEmails, () => ( void 0)),
+        skipInDev: options.skipInDev,
+        environment: options.environment
+      },
+      url
+    );
+    if (!result.success) {
+      if (_optionalChain([result, 'access', _4 => _4.error, 'optionalAccess', _5 => _5.code]) === "AUTH_REQUIRED") {
+        if (options.onUnauthorized) {
+          await options.onUnauthorized(req, res, result.error.why);
+        } else {
+          authRequiredResponse(res);
+        }
+        return;
+      }
+      if (_optionalChain([result, 'access', _6 => _6.error, 'optionalAccess', _7 => _7.code]) === "ACCESS_DENIED") {
+        const email = _nullishCoalesce(_optionalChain([result, 'access', _8 => _8.user, 'optionalAccess', _9 => _9.email]), () => ( "unknown"));
+        if (options.onForbidden) {
+          await options.onForbidden(req, res, email);
+        } else {
+          forbiddenResponse(res);
+        }
+        return;
+      }
+      if (options.onUnauthorized) {
+        await options.onUnauthorized(req, res, _nullishCoalesce(_optionalChain([result, 'access', _10 => _10.error, 'optionalAccess', _11 => _11.why]), () => ( "Unknown error")));
+      } else {
+        unauthorizedResponse(res, _nullishCoalesce(_optionalChain([result, 'access', _12 => _12.error, 'optionalAccess', _13 => _13.why]), () => ( "Unknown error")));
+      }
+      return;
+    }
+    if (result.user) {
+      req.user = result.user;
+    }
+    next();
+  };
+}
+var middleware_default = cloudflareAccessAuth;
+exports.AccessDeniedError = _chunkWUJPWM4Tjs.AccessDeniedError; exports.AuthRequiredError = _chunkWUJPWM4Tjs.AuthRequiredError; exports.CloudflareAccessError = _chunkWUJPWM4Tjs.CloudflareAccessError; exports.CloudflareAccessErrorCode = _chunkWUJPWM4Tjs.CloudflareAccessErrorCode; exports.ConfigurationError = _chunkWUJPWM4Tjs.ConfigurationError; exports.InvalidTokenError = _chunkWUJPWM4Tjs.InvalidTokenError; exports.__clearJwksCache = _chunkWUJPWM4Tjs.__clearJwksCache; exports.authRequiredResponse = authRequiredResponse; exports.cloudflareAccessAuth = cloudflareAccessAuth; exports.default = middleware_default; exports.forbiddenResponse = forbiddenResponse; exports.isAccessDeniedError = _chunkWUJPWM4Tjs.isAccessDeniedError; exports.isAuthRequiredError = _chunkWUJPWM4Tjs.isAuthRequiredError; exports.isCloudflareAccessError = _chunkWUJPWM4Tjs.isCloudflareAccessError; exports.isConfigurationError = _chunkWUJPWM4Tjs.isConfigurationError; exports.isInvalidTokenError = _chunkWUJPWM4Tjs.isInvalidTokenError; exports.toAuthError = _chunkWUJPWM4Tjs.toAuthError; exports.unauthorizedResponse = unauthorizedResponse;
+//# sourceMappingURL=index.js.map

package/dist/adapters/express/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/express/index.js","../../../src/adapters/express/responses.ts","../../../src/adapters/express/middleware.ts"],"names":[],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,0DAAgC;AAChC;AACA;ACZO,SAAS,oBAAA,CAAqB,GAAA,EAAe,MAAA,EAAsB;AACxE,EAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,IACnB,OAAA,EAAS,KAAA;AAAA,IACT,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,eAAA;AAAA,MACN,OAAA,EAAS,8BAAA;AAAA,MACT,GAAA,EAAK,MAAA;AAAA,MACL,GAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAC,CAAA;AACH;AAKO,SAAS,oBAAA,CAAqB,GAAA,EAAqB;AACxD,EAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,IACnB,OAAA,EAAS,KAAA;AAAA,IACT,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,eAAA;AAAA,MACN,OAAA,EAAS,cAAA;AAAA,MACT,GAAA,EAAK,+CAAA;AAAA,MACL,GAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAC,CAAA;AACH;AAKO,SAAS,iBAAA,CAAkB,GAAA,EAAqB;AACrD,EAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,IACnB,OAAA,EAAS,KAAA;AAAA,IACT,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,eAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,GAAA,EAAK,sDAAA;AAAA,MACL,GAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAC,CAAA;AACH;ADMA;AACA;AEtBO,SAAS,oBAAA,CACd,OAAA,EACoE;AACpE,EAAA,MAAM,cAAA,mBAAgB,OAAA,CAAQ,aAAA,UAAiB,MAAA;AAE/C,EAAA,OAAO,MAAA,CAAO,GAAA,EAAc,GAAA,EAAe,IAAA,EAAA,GAAsC;AAC/E,IAAA,MAAM,KAAA,EAAO,GAAA,CAAI,IAAA;AACjB,IAAA,MAAM,OAAA,EAAS,GAAA,CAAI,MAAA;AAGnB,IAAA,GAAA,iBAAI,OAAA,mBAAQ,YAAA,6BAAc,QAAA,mBAAS,IAAI,IAAA,GAAK,OAAA,IAAW,SAAA,EAAW;AAChE,MAAA,IAAA,CAAK,CAAA;AACL,MAAA,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,EAAQ,GAAA,CAAI,OAAA,CAAQ,yBAAyB,CAAA;AACnD,IAAA,MAAM,SAAA,EAAW,GAAA,CAAI,OAAA,CAAQ,mBAAmB,EAAA,GAAK,GAAA,CAAI,QAAA;AACzD,IAAA,MAAM,KAAA,EAAO,GAAA,CAAI,OAAA,CAAQ,IAAA;AACzB,IAAA,MAAM,IAAA,EAAM,CAAA,EAAA;AAEN,IAAA;AACJ,MAAA;AACA,MAAA;AACE,QAAA;AACA,QAAA;AACA,QAAA;AACA,QAAA;AACF,MAAA;AACA,MAAA;AACF,IAAA;AAEY,IAAA;AACC,MAAA;AACL,QAAA;AACI,UAAA;AACD,QAAA;AACL,UAAA;AACF,QAAA;AACA,QAAA;AACF,MAAA;AAEW,MAAA;AACH,QAAA;AACF,QAAA;AACI,UAAA;AACD,QAAA;AACL,UAAA;AACF,QAAA;AACA,QAAA;AACF,MAAA;AAEI,MAAA;AACI,QAAA;AACD,MAAA;AACL,QAAA;AACF,MAAA;AACA,MAAA;AACF,IAAA;AAGW,IAAA;AACE,MAAA;AACb,IAAA;AAEK,IAAA;AACP,EAAA;AACF;AAGO;AFSU;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/express/index.js","sourcesContent":[null,"import type { Response } from \"express\";\n\n/**\n * Generate unauthorized response\n */\nexport function unauthorizedResponse(res: Response, reason: string): void {\n res.status(401).json({\n success: false,\n error: {\n code: \"INVALID_TOKEN\",\n message: \"Invalid authentication token\",\n why: reason,\n fix: \"Please sign in again via Cloudflare Access\",\n },\n });\n}\n\n/**\n * Generate auth required response\n */\nexport function authRequiredResponse(res: Response): void {\n res.status(401).json({\n success: false,\n error: {\n code: \"AUTH_REQUIRED\",\n message: \"Unauthorized\",\n why: \"Authentication required via Cloudflare Access\",\n fix: \"Sign in via Cloudflare Access\",\n },\n });\n}\n\n/**\n * Generate forbidden response\n */\nexport function forbiddenResponse(res: Response): void {\n res.status(403).json({\n success: false,\n error: {\n code: \"ACCESS_DENIED\",\n message: \"Forbidden\",\n why: \"Your email is not authorized to access this resource\",\n fix: \"Contact an administrator if you need access\",\n },\n });\n}\n","import type { Request, Response, NextFunction } from \"express\";\nimport { validateCloudflareAccessToken } from \"../../core\";\nimport type { CloudflareAccessAuthOptions } from \"./types\";\nimport { unauthorizedResponse, authRequiredResponse, forbiddenResponse } from \"./responses\";\n\n/**\n * Creates secure Cloudflare Access authentication middleware for Express.\n *\n * @param options - Configuration options\n * @returns Express middleware handler\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { cloudflareAccessAuth } from 'cloudflare-access/adapters/express';\n *\n * const app = express();\n *\n * app.use(cloudflareAccessAuth({\n * accessConfig: {\n * teamDomain: 'https://yourteam.cloudflareaccess.com',\n * audTag: 'your-audience-tag',\n * },\n * }));\n *\n * app.get('/protected', (req, res) => {\n * res.json({ email: req.user?.email });\n * });\n * ```\n */\nexport function cloudflareAccessAuth(\n options: CloudflareAccessAuthOptions,\n): (req: Request, res: Response, next: NextFunction) => Promise<void> {\n const allowedEmails = options.allowedEmails ?? null;\n\n return async (req: Request, res: Response, next: NextFunction): Promise<void> => {\n const path = req.path;\n const method = req.method;\n\n // Skip OPTIONS requests and excluded paths\n if (options.excludePaths?.includes(path) || method === \"OPTIONS\") {\n next();\n return;\n }\n\n const token = req.headers[\"cf-access-jwt-assertion\"] as string | undefined;\n const protocol = req.headers[\"x-forwarded-proto\"] || req.protocol;\n const host = req.headers.host;\n const url = `${protocol}://${host}${req.originalUrl}`;\n\n const result = await validateCloudflareAccessToken(\n token,\n {\n accessConfig: options.accessConfig,\n allowedEmails: allowedEmails ?? undefined,\n skipInDev: options.skipInDev,\n environment: options.environment,\n },\n url,\n );\n\n if (!result.success) {\n if (result.error?.code === \"AUTH_REQUIRED\") {\n if (options.onUnauthorized) {\n await options.onUnauthorized(req, res, result.error.why);\n } else {\n authRequiredResponse(res);\n }\n return;\n }\n\n if (result.error?.code === \"ACCESS_DENIED\") {\n const email = result.user?.email ?? \"unknown\";\n if (options.onForbidden) {\n await options.onForbidden(req, res, email);\n } else {\n forbiddenResponse(res);\n }\n return;\n }\n\n if (options.onUnauthorized) {\n await options.onUnauthorized(req, res, result.error?.why ?? \"Unknown error\");\n } else {\n unauthorizedResponse(res, result.error?.why ?? \"Unknown error\");\n }\n return;\n }\n\n // Set user in request\n if (result.user) {\n req.user = result.user;\n }\n\n next();\n };\n}\n\n// Also export as default for convenience\nexport default cloudflareAccessAuth;\n"]}

package/dist/adapters/express/index.mjs ADDED Viewed

@@ -0,0 +1,129 @@
+import {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError,
+  validateCloudflareAccessToken
+} from "../../chunk-DM2KGIQX.mjs";
+// src/adapters/express/responses.ts
+function unauthorizedResponse(res, reason) {
+  res.status(401).json({
+    success: false,
+    error: {
+      code: "INVALID_TOKEN",
+      message: "Invalid authentication token",
+      why: reason,
+      fix: "Please sign in again via Cloudflare Access"
+    }
+  });
+}
+function authRequiredResponse(res) {
+  res.status(401).json({
+    success: false,
+    error: {
+      code: "AUTH_REQUIRED",
+      message: "Unauthorized",
+      why: "Authentication required via Cloudflare Access",
+      fix: "Sign in via Cloudflare Access"
+    }
+  });
+}
+function forbiddenResponse(res) {
+  res.status(403).json({
+    success: false,
+    error: {
+      code: "ACCESS_DENIED",
+      message: "Forbidden",
+      why: "Your email is not authorized to access this resource",
+      fix: "Contact an administrator if you need access"
+    }
+  });
+}
+// src/adapters/express/middleware.ts
+function cloudflareAccessAuth(options) {
+  const allowedEmails = options.allowedEmails ?? null;
+  return async (req, res, next) => {
+    const path = req.path;
+    const method = req.method;
+    if (options.excludePaths?.includes(path) || method === "OPTIONS") {
+      next();
+      return;
+    }
+    const token = req.headers["cf-access-jwt-assertion"];
+    const protocol = req.headers["x-forwarded-proto"] || req.protocol;
+    const host = req.headers.host;
+    const url = `${protocol}://${host}${req.originalUrl}`;
+    const result = await validateCloudflareAccessToken(
+      token,
+      {
+        accessConfig: options.accessConfig,
+        allowedEmails: allowedEmails ?? void 0,
+        skipInDev: options.skipInDev,
+        environment: options.environment
+      },
+      url
+    );
+    if (!result.success) {
+      if (result.error?.code === "AUTH_REQUIRED") {
+        if (options.onUnauthorized) {
+          await options.onUnauthorized(req, res, result.error.why);
+        } else {
+          authRequiredResponse(res);
+        }
+        return;
+      }
+      if (result.error?.code === "ACCESS_DENIED") {
+        const email = result.user?.email ?? "unknown";
+        if (options.onForbidden) {
+          await options.onForbidden(req, res, email);
+        } else {
+          forbiddenResponse(res);
+        }
+        return;
+      }
+      if (options.onUnauthorized) {
+        await options.onUnauthorized(req, res, result.error?.why ?? "Unknown error");
+      } else {
+        unauthorizedResponse(res, result.error?.why ?? "Unknown error");
+      }
+      return;
+    }
+    if (result.user) {
+      req.user = result.user;
+    }
+    next();
+  };
+}
+var middleware_default = cloudflareAccessAuth;
+export {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  authRequiredResponse,
+  cloudflareAccessAuth,
+  middleware_default as default,
+  forbiddenResponse,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError,
+  unauthorizedResponse
+};
+//# sourceMappingURL=index.mjs.map

package/dist/adapters/express/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/adapters/express/responses.ts","../../../src/adapters/express/middleware.ts"],"sourcesContent":["import type { Response } from \"express\";\n\n/**\n * Generate unauthorized response\n */\nexport function unauthorizedResponse(res: Response, reason: string): void {\n res.status(401).json({\n success: false,\n error: {\n code: \"INVALID_TOKEN\",\n message: \"Invalid authentication token\",\n why: reason,\n fix: \"Please sign in again via Cloudflare Access\",\n },\n });\n}\n\n/**\n * Generate auth required response\n */\nexport function authRequiredResponse(res: Response): void {\n res.status(401).json({\n success: false,\n error: {\n code: \"AUTH_REQUIRED\",\n message: \"Unauthorized\",\n why: \"Authentication required via Cloudflare Access\",\n fix: \"Sign in via Cloudflare Access\",\n },\n });\n}\n\n/**\n * Generate forbidden response\n */\nexport function forbiddenResponse(res: Response): void {\n res.status(403).json({\n success: false,\n error: {\n code: \"ACCESS_DENIED\",\n message: \"Forbidden\",\n why: \"Your email is not authorized to access this resource\",\n fix: \"Contact an administrator if you need access\",\n },\n });\n}\n","import type { Request, Response, NextFunction } from \"express\";\nimport { validateCloudflareAccessToken } from \"../../core\";\nimport type { CloudflareAccessAuthOptions } from \"./types\";\nimport { unauthorizedResponse, authRequiredResponse, forbiddenResponse } from \"./responses\";\n\n/**\n * Creates secure Cloudflare Access authentication middleware for Express.\n *\n * @param options - Configuration options\n * @returns Express middleware handler\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { cloudflareAccessAuth } from 'cloudflare-access/adapters/express';\n *\n * const app = express();\n *\n * app.use(cloudflareAccessAuth({\n * accessConfig: {\n * teamDomain: 'https://yourteam.cloudflareaccess.com',\n * audTag: 'your-audience-tag',\n * },\n * }));\n *\n * app.get('/protected', (req, res) => {\n * res.json({ email: req.user?.email });\n * });\n * ```\n */\nexport function cloudflareAccessAuth(\n options: CloudflareAccessAuthOptions,\n): (req: Request, res: Response, next: NextFunction) => Promise<void> {\n const allowedEmails = options.allowedEmails ?? null;\n\n return async (req: Request, res: Response, next: NextFunction): Promise<void> => {\n const path = req.path;\n const method = req.method;\n\n // Skip OPTIONS requests and excluded paths\n if (options.excludePaths?.includes(path) || method === \"OPTIONS\") {\n next();\n return;\n }\n\n const token = req.headers[\"cf-access-jwt-assertion\"] as string | undefined;\n const protocol = req.headers[\"x-forwarded-proto\"] || req.protocol;\n const host = req.headers.host;\n const url = `${protocol}://${host}${req.originalUrl}`;\n\n const result = await validateCloudflareAccessToken(\n token,\n {\n accessConfig: options.accessConfig,\n allowedEmails: allowedEmails ?? undefined,\n skipInDev: options.skipInDev,\n environment: options.environment,\n },\n url,\n );\n\n if (!result.success) {\n if (result.error?.code === \"AUTH_REQUIRED\") {\n if (options.onUnauthorized) {\n await options.onUnauthorized(req, res, result.error.why);\n } else {\n authRequiredResponse(res);\n }\n return;\n }\n\n if (result.error?.code === \"ACCESS_DENIED\") {\n const email = result.user?.email ?? \"unknown\";\n if (options.onForbidden) {\n await options.onForbidden(req, res, email);\n } else {\n forbiddenResponse(res);\n }\n return;\n }\n\n if (options.onUnauthorized) {\n await options.onUnauthorized(req, res, result.error?.why ?? \"Unknown error\");\n } else {\n unauthorizedResponse(res, result.error?.why ?? \"Unknown error\");\n }\n return;\n }\n\n // Set user in request\n if (result.user) {\n req.user = result.user;\n }\n\n next();\n };\n}\n\n// Also export as default for convenience\nexport default cloudflareAccessAuth;\n"],"mappings":";;;;;;;;;;;;;;;;;;AAKO,SAAS,qBAAqB,KAAe,QAAsB;AACxE,MAAI,OAAO,GAAG,EAAE,KAAK;AAAA,IACnB,SAAS;AAAA,IACT,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF,CAAC;AACH;AAKO,SAAS,qBAAqB,KAAqB;AACxD,MAAI,OAAO,GAAG,EAAE,KAAK;AAAA,IACnB,SAAS;AAAA,IACT,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF,CAAC;AACH;AAKO,SAAS,kBAAkB,KAAqB;AACrD,MAAI,OAAO,GAAG,EAAE,KAAK;AAAA,IACnB,SAAS;AAAA,IACT,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF,CAAC;AACH;;;ACfO,SAAS,qBACd,SACoE;AACpE,QAAM,gBAAgB,QAAQ,iBAAiB;AAE/C,SAAO,OAAO,KAAc,KAAe,SAAsC;AAC/E,UAAM,OAAO,IAAI;AACjB,UAAM,SAAS,IAAI;AAGnB,QAAI,QAAQ,cAAc,SAAS,IAAI,KAAK,WAAW,WAAW;AAChE,WAAK;AACL;AAAA,IACF;AAEA,UAAM,QAAQ,IAAI,QAAQ,yBAAyB;AACnD,UAAM,WAAW,IAAI,QAAQ,mBAAmB,KAAK,IAAI;AACzD,UAAM,OAAO,IAAI,QAAQ;AACzB,UAAM,MAAM,GAAG,QAAQ,MAAM,IAAI,GAAG,IAAI,WAAW;AAEnD,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,QACE,cAAc,QAAQ;AAAA,QACtB,eAAe,iBAAiB;AAAA,QAChC,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAEA,QAAI,CAAC,OAAO,SAAS;AACnB,UAAI,OAAO,OAAO,SAAS,iBAAiB;AAC1C,YAAI,QAAQ,gBAAgB;AAC1B,gBAAM,QAAQ,eAAe,KAAK,KAAK,OAAO,MAAM,GAAG;AAAA,QACzD,OAAO;AACL,+BAAqB,GAAG;AAAA,QAC1B;AACA;AAAA,MACF;AAEA,UAAI,OAAO,OAAO,SAAS,iBAAiB;AAC1C,cAAM,QAAQ,OAAO,MAAM,SAAS;AACpC,YAAI,QAAQ,aAAa;AACvB,gBAAM,QAAQ,YAAY,KAAK,KAAK,KAAK;AAAA,QAC3C,OAAO;AACL,4BAAkB,GAAG;AAAA,QACvB;AACA;AAAA,MACF;AAEA,UAAI,QAAQ,gBAAgB;AAC1B,cAAM,QAAQ,eAAe,KAAK,KAAK,OAAO,OAAO,OAAO,eAAe;AAAA,MAC7E,OAAO;AACL,6BAAqB,KAAK,OAAO,OAAO,OAAO,eAAe;AAAA,MAChE;AACA;AAAA,IACF;AAGA,QAAI,OAAO,MAAM;AACf,UAAI,OAAO,OAAO;AAAA,IACpB;AAEA,SAAK;AAAA,EACP;AACF;AAGA,IAAO,qBAAQ;","names":[]}

package/dist/adapters/fastify/index.d.mts ADDED Viewed

@@ -0,0 +1,111 @@
+import { C as CloudflareAccessConfig, e as CloudflareAccessMiddlewareEnv, g as CloudflareAccessUser } from '../../jwks-ChdyyS_L.mjs';
+export { A as AccessDeniedError, a as AuthRequiredError, c as CloudflareAccessError, d as CloudflareAccessErrorCode, f as CloudflareAccessPayload, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.mjs';
+import * as fastify from 'fastify';
+import { FastifyReply, preHandlerHookHandler, FastifyPluginAsync } from 'fastify';
+import 'jose';
+/**
+ * Options for creating Cloudflare Access authentication for Fastify
+ */
+interface CloudflareAccessAuthOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist. Access policy should still be configured at Cloudflare. */
+    allowedEmails?: string[];
+    /** Custom unauthorized handler */
+    onUnauthorized?: (request: fastify.FastifyRequest, reply: fastify.FastifyReply, reason: string) => void | Promise<void>;
+    /** Custom forbidden handler */
+    onForbidden?: (request: fastify.FastifyRequest, reply: fastify.FastifyReply, email: string) => void | Promise<void>;
+    /** Paths to exclude from auth check */
+    excludePaths?: string[];
+    /** Whether to skip JWT validation outside production */
+    skipInDev?: boolean;
+    /** Environment indicator */
+    environment?: string;
+}
+/**
+ * Get Cloudflare Access configuration from environment variables
+ */
+declare function getCloudflareAccessConfigFromEnv(env: CloudflareAccessMiddlewareEnv): CloudflareAccessConfig;
+/**
+ * Generate unauthorized response
+ */
+declare function unauthorizedResponse(reply: FastifyReply, reason: string): void;
+/**
+ * Generate auth required response
+ */
+declare function authRequiredResponse(reply: FastifyReply): void;
+/**
+ * Generate forbidden response
+ */
+declare function forbiddenResponse(reply: FastifyReply): void;
+declare module "fastify" {
+    interface FastifyRequest {
+        /** Authenticated user from Cloudflare Access */
+        user?: CloudflareAccessUser;
+    }
+}
+/**
+ * Creates a preHandler hook for Cloudflare Access authentication.
+ *
+ * @param options - Configuration options
+ * @returns Fastify preHandler hook
+ *
+ * @example
+ * ```typescript
+ * import fastify from 'fastify';
+ * import { cloudflareAccessPreHandler } from 'cloudflare-access/adapters/fastify';
+ *
+ * const app = fastify();
+ *
+ * app.addHook('preHandler', cloudflareAccessPreHandler({
+ *   accessConfig: {
+ *     teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *     audTag: 'your-audience-tag',
+ *   },
+ * }));
+ *
+ * app.get('/protected', async (request, reply) => {
+ *   return { email: request.user?.email };
+ * });
+ * ```
+ */
+declare function cloudflareAccessPreHandler(options: CloudflareAccessAuthOptions): preHandlerHookHandler;
+/**
+ * Creates a Fastify plugin for Cloudflare Access authentication.
+ *
+ * @param options - Configuration options
+ * @returns Fastify plugin
+ *
+ * @example
+ * ```typescript
+ * import fastify from 'fastify';
+ * import { cloudflareAccessPlugin } from 'cloudflare-access/adapters/fastify';
+ *
+ * const app = fastify();
+ *
+ * app.register(cloudflareAccessPlugin, {
+ *   accessConfig: {
+ *     teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *     audTag: 'your-audience-tag',
+ *   },
+ * });
+ *
+ * app.get('/protected', async (request, reply) => {
+ *   return { email: request.user?.email };
+ * });
+ * ```
+ */
+declare const cloudflareAccessPlugin: FastifyPluginAsync<CloudflareAccessAuthOptions>;
+declare module "fastify" {
+    interface FastifyRequest {
+        /** Authenticated user from Cloudflare Access */
+        user?: CloudflareAccessUser;
+    }
+}
+export { type CloudflareAccessAuthOptions, CloudflareAccessConfig, CloudflareAccessMiddlewareEnv, CloudflareAccessUser, authRequiredResponse, cloudflareAccessPlugin, cloudflareAccessPreHandler, cloudflareAccessPlugin as default, forbiddenResponse, getCloudflareAccessConfigFromEnv, unauthorizedResponse };